From 591ed1e90503817938ccf5f127e677a8dd48b6d8 Mon Sep 17 00:00:00 2001

From: Simon Kelley <simon@thekelleys.org.uk>

Date: Mon, 11 Jul 2016 18:18:42 +0100

Subject: [PATCH] Fix bad behaviour with some DHCP option arrangements.

The check that there's enough space to store the DHCP agent-id

at the end of the packet could succeed when it should fail

if the END option is in either of the oprion-overload areas.

That could overwrite legit options in the request and cause

bad behaviour. It's highly unlikely that any sane DHCP client

would trigger this bug, and it's never been seen, but this

fixes the problem.

Also fix off-by-one in bounds checking of option processing.

Worst case scenario on that is a read one byte beyond the

end off a buffer with a crafted packet, and maybe therefore

a SIGV crash if the memory after the buffer is not mapped.

Thanks to Timothy Becker for spotting these.

---

 src/rfc2131.c | 5 +++--

 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/rfc2131.c b/src/rfc2131.c

index b7c167e..8b99d4b 100644

--- a/src/rfc2131.c

+++ b/src/rfc2131.c

@@ -186,7 +186,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,

 	     be enough free space at the end of the packet to copy the option. */

 	  unsigned char *sopt;

 	  unsigned int total = option_len(opt) + 2;

-	  unsigned char *last_opt = option_find(mess, sz, OPTION_END, 0);

+	  unsigned char *last_opt = option_find1(&mess->options[0] + sizeof(u32), ((unsigned char *)mess) + sz,

+						 OPTION_END, 0);

 	  if (last_opt && last_opt < end - total)

 	    {

 	      end -= total;

@@ -1606,7 +1607,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt

 {

   while (1) 

     {

-      if (p > end)

+      if (p >= end)

 	return NULL;

       else if (*p == OPTION_END)

 	return opt == OPTION_END ? p : NULL;

-- 

2.9.3